Hands-On Kubernetes on Windows

Hyper-V isolation

Hyper-V isolation is the second type of isolation available for Windows containers. In this type of isolation, each container is running inside a dedicated, minimal Hyper-V virtual machine and can be briefly summarized as follows:

  • Containers do not share the kernel with host OS. Each container has its own Windows kernel.
  • Isolation is provided at the virtual machine hypervisor level (requires Hyper-V role to be installed).
  • There are no compatibility limitations between the host OS version and container base OS version.
  • This is recommended for the execution of untrusted code and multi-tenant deployments as it provides better security and isolation.

The details of the Hyper-V isolation architecture can be seen in the following diagram:

This type of isolation comes at a cost that you have to take into account when choosing the isolation level:

  • Hyper-V isolation adds virtualization overhead and has a higher memory and CPU footprint than process isolation, but it still performs much better than running a full VM with Windows Nano Server. You can check the memory requirements for running containers with different isolation levels in the following table.
  • Container spin-up time is slower compared to process isolation.
  • Requires nested virtualization when used for containers running on a VM. This may be a limitation for some hypervisors and cloud deployments. The following table shows the memory requirements for Windows Server 1709 containers:
Container base image    Process isolation (WSC)    Hyper-V isolation
Nano Server             30 MB                      110 MB + 1 GB pagefile
Server Core             45 MB                      360 MB + 1 GB pagefile

The container images remain unchanged compared to process isolation; you only need to specify a different isolation level when creating the actual container. You can do this using the --isolation=hyperv parameter:

docker run -d --isolation=hyperv mcr.microsoft.com/windows/nanoserver:1809 cmd /c ping localhost -n 100

Note that in this case, even if you are running Windows 10, version 1903, you can use the container base image version 1809 without any limitations.

Hyper-V isolation is the default level of isolation when running containers on Windows 10, so the --isolation=hyperv parameter is not required. The opposite is also true: process isolation is the default level for Windows Server, and if you want to use Hyper-V isolation, you have to specify it explicitly. The default isolation level can be changed in the daemon.json configuration file by specifying the isolation parameter in exec-opts. For more information, please refer to https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file and https://docs.docker.com/engine/reference/commandline/dockerd/#docker-runtime-execution-options.
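As an added example (not from the book), the following PowerShell script audits which isolation level each container on a Windows Docker host actually runs with, flags those sharing the host kernel, and shows the exec-opts entry that makes Hyper-V isolation the daemon default. It assumes the Docker CLI is on PATH and uses Docker's documented default daemon.json location on Windows.

```powershell
# Added example, not the book's code: audit container isolation on a Windows Docker host.
# Assumes the Docker CLI is on PATH; all IDs, names and images are whatever the host returns.

# Default isolation the daemon applies when --isolation is not given
# ('process' on Windows Server, 'hyperv' on Windows 10). Field name is from the docker info template.
$defaultIsolation = docker info --format '{{.Isolation}}'
Write-Host "Daemon default isolation: $defaultIsolation"

# Every container (running or stopped) with the isolation level it was created with.
$rows = docker ps -a --format '{{.ID}}|{{.Image}}|{{.Names}}' | ForEach-Object {
    $id, $image, $name = $_ -split '\|', 3
    # HostConfig.Isolation is 'process', 'hyperv', or 'default'/empty meaning the daemon default.
    $iso = docker inspect --format '{{.HostConfig.Isolation}}' $id
    if ([string]::IsNullOrEmpty($iso) -or $iso -eq 'default') { $iso = $defaultIsolation }
    [pscustomobject]@{ Id = $id; Image = $image; Name = $name; Isolation = $iso }
}
$rows | Format-Table -AutoSize

# Containers sharing the host kernel. On a host meant for untrusted or multi-tenant
# workloads, these are the ones the text recommends moving to Hyper-V isolation.
$shared = @($rows | Where-Object { $_.Isolation -eq 'process' })
if ($shared.Count -gt 0) {
    Write-Warning "$($shared.Count) container(s) run with process isolation (shared kernel):"
    $shared | ForEach-Object { Write-Warning "  $($_.Name) ($($_.Image))" }
}

# To make Hyper-V isolation the default instead of passing --isolation=hyperv on every run,
# put the exec-opts entry in daemon.json and restart the Docker service.
# Only written when no daemon.json exists yet, so an existing configuration is never overwritten.
$daemonJson = 'C:\ProgramData\docker\config\daemon.json'
if (-not (Test-Path $daemonJson)) {
    @{ 'exec-opts' = @('isolation=hyperv') } | ConvertTo-Json |
        Set-Content -Path $daemonJson -Encoding ascii
    Write-Host "Wrote $daemonJson; run 'Restart-Service docker' to apply the new default."
}
```

Run it from an elevated PowerShell session, since both docker inspect and writing under C:\ProgramData require administrative rights.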